public IoTHardwareIntegratorTests(ITestOutputHelper log)
{
this.log = log;
this.config = new Mock <IConfig>();
this.config.Setup(c => c.IoTDeployerName).Returns("technician-z");
this.mockCA = new Mock <ICertificateAuthority>();
DateTimeOffset now = DateTimeOffset.UtcNow;
this.chain = new X509Certificate2Collection(X509CertificateOperations
.CreateChainRequest(
"CN=Fabrikam CA Root (Unit Test Use Only)",
RSA.Create(3072),
HashAlgorithmName.SHA512,
true, null)
.CreateX509SelfSignedCert(
10000));
this.mockCA
.Setup(ca => ca.CreateSignedCrt(It.IsAny <CertificateRequest>()))
.Returns((CertificateRequest csr) =>
csr.CreateX509Cert(
this.chain[0],
4000));
this.mockCA.Setup(ca => ca.personalSignedX509Certificate)
.Returns(this.chain[0]);
}
// Install a signed leaft X509 Cert in a Device HSM-based
private IIoTDevice InjectChainOfTrust(IIoTDevice device,
X509Certificate2Collection chain)
{
if (device == null)
{
throw new ArgumentNullException(nameof(device));
}
X509Certificate2 deviceLeafCert = null;
// Create csr for a Device
CertificateRequest deviceLeafRequest =
X509CertificateOperations.CreateChainRequest(
this.GenerateLeafCertDistinguishedName(
device
.HardwareSecurityModel
.GetUniqueDeviceId),
device.HardwareSecurityModel.GetPublicKey,
HashAlgorithmName.SHA256,
false, null);
// issue a signed leaf crt
deviceLeafCert = this.CreateSignedCrt(deviceLeafRequest);
device.HardwareSecurityModel.StoreX509Cert(deviceLeafCert, chain);
return(device);
}
private X509Certificate2 AcquireCASigneIntermediateCertWithKey()
{
X509Certificate2 intermedCertWithKey = null;
using (AsymmetricAlgorithm intermedPrivKey = RSA.Create(2048))
{
// Create csr
CertificateRequest intermedRequest =
X509CertificateOperations.CreateChainRequest(
IntermedDistinguishedName,
intermedPrivKey,
HashAlgorithmName.SHA384,
true, null);
// Request Root CA to issue a signed intermed crt
X509Certificate2 intermedCert = this.rootCertificateAuthority
.CreateSignedCrt(intermedRequest);
// Save its private key for future issuing as Itermediate CA
intermedCertWithKey = intermedCert
.CloneWithPrivateKey(intermedPrivKey);
intermedCert.Dispose();
}
return(intermedCertWithKey);
}
public DeviceHSMX509StoreTests(ITestOutputHelper log)
{
this.log = log;
this.deviceHSM = new DeviceHSM();
this.chain = new X509Certificate2Collection(
X509CertificateOperations
.CreateChainRequest(
"CN=Fabrikam CA Root (Integration Test Use Only), O=Fabrikam Drone Delivery",
RSA.Create(3072),
HashAlgorithmName.SHA512,
true,
null)
.CreateX509SelfSignedCert(
2));
this.leaf = X509CertificateOperations
.CreateChainRequest(
"CN=Fabrikam Leaf (Integration Test Use Only), O=Fabrikam Drone Delivery",
this.deviceHSM.GetPublicKey,
HashAlgorithmName.SHA256,
false,
null)
.CreateX509Cert(
this.chain[0],
1);
this.ca = new Mock <ICertificateAuthority>();
}
public CertificateAuthorityTests(ITestOutputHelper log)
{
this.log = log;
this.config = new Mock <IConfig>();
this.config.Setup(c => c.IoTCompanyName).Returns("company-x");
this.config.Setup(c => c.IoTHardwareIntegratorName)
.Returns("factory-y");
this.deviceHSM = new DeviceHSM();
DateTimeOffset now = DateTimeOffset.UtcNow;
this.Chain = new X509Certificate2Collection(X509CertificateOperations
.CreateChainRequest("CN=rootCATests",
RSA.Create(3072),
HashAlgorithmName.SHA512,
true, null)
.CreateSelfSigned(now,
now.AddDays(2)));
this.leafCsr = X509CertificateOperations
.CreateChainRequest("CN=leafCATests",
this.deviceHSM.GetPublicKey,
HashAlgorithmName.SHA256,
false, null);
}
public void CanRunChainOfTrustForEndEnitiyLeafX509Certificates()
{
// Arrange
const string endEntityLeafDistinguishedName = "CN=End Entity Leaf Certificate, O=Fabrikam_DD";
X509Certificate2 rootCACert,
intermed1Cert,
intermed2Cert,
endEntityLeafCertificate = null;
rootCACert = this.rootCA.personalSignedX509Certificate;
intermed1Cert = this.intermed1CA.personalSignedX509Certificate;
intermed2Cert = this.intermed2CA.personalSignedX509Certificate;
CertificateRequest endEntityLeafCSR = null;
string errMsg = null;
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.ExtraStore.Add(intermed2Cert);
chain.ChainPolicy.ExtraStore.Add(intermed1Cert);
chain.ChainPolicy.ExtraStore.Add(rootCACert);
// Act
try
{
endEntityLeafCSR = X509CertificateOperations
.CreateChainRequest(
endEntityLeafDistinguishedName,
RSA.Create(1536),
HashAlgorithmName.SHA256,
false, null);
endEntityLeafCertificate = this.intermed2CA
.CreateSignedCrt(
endEntityLeafCSR);
errMsg = RunChain(
chain,
endEntityLeafCertificate,
"Verify chain of trust for End Entity Leaf X509 Cert");
}
finally
{
DisposeChainCerts(chain);
}
// Assert
Assert.True(string.IsNullOrEmpty(errMsg), errMsg);
Assert.NotNull(endEntityLeafCertificate);
Assert.False(endEntityLeafCertificate.HasPrivateKey);
Assert.NotNull(endEntityLeafCertificate.GetRSAPublicKey());
Assert.True(endEntityLeafCertificate.NotAfter <= (DateTimeOffset.UtcNow.AddDays(30)));
Assert.False(string.IsNullOrEmpty(endEntityLeafCertificate.Thumbprint));
Assert.True(endEntityLeafCertificate.Version >= 3);
}
protected virtual void Dispose(bool disposing)
{
this.leaf?.Dispose();
this.chain[0]?.Dispose();
X509CertificateOperations.RemoveCertsByOrganizationName(
StoreName.My,
StoreLocation.CurrentUser,
"Fabrikam Drone Delivery");
X509CertificateOperations.RemoveCertsByOrganizationName(
StoreName.Root,
StoreLocation.CurrentUser,
"Fabrikam Drone Delivery");
deviceHSM?.Dispose();
}
private X509Certificate2 CreateRootCASelfSignedCertWithKey()
{
X509Certificate2 rootCACertWithKey = null;
// Well kwnon CA cert. It belongs to the CA API, it should just sign the very first intermediate cert
using (AsymmetricAlgorithm rootKeyCAPrivKey = RSA.Create(3072))
{
// Create CSR
CertificateRequest rootKeyCARequest = X509CertificateOperations
.CreateChainRequest(
this.RootCADistinguishedName,
rootKeyCAPrivKey,
HashAlgorithmName.SHA512,
true, null);
rootCACertWithKey = rootKeyCARequest
.CreateX509SelfSignedCert(
10000);
}
return(rootCACertWithKey);
}
private static void CleanupStore()
{
Console.Write("Clean up X509 Cert Personal Store...");
X509CertificateOperations.RemoveCertsByOrganizationName(
StoreName.My,
StoreLocation.CurrentUser,
"Fabrikam Drone Delivery");
Console.Write("OK!\n");
Console.Write("Clean up X509 Cert CA Store...");
X509CertificateOperations.RemoveCertsByOrganizationName(
StoreName.CertificateAuthority,
StoreLocation.CurrentUser,
"Fabrikam Drone Delivery");
Console.Write("OK!\n");
Console.Write("Clean up X509 Cert Root Store...");
X509CertificateOperations.RemoveCertsByOrganizationName(
StoreName.Root,
StoreLocation.CurrentUser,
"Fabrikam Drone Delivery");
Console.Write("OK!\n");
}
public async Task GenerateProofOfVerficationAsync(
string verificationCode,
string fileName = null)
{
fileName = fileName ?? $".\\{verificationCode}.cer";
using (AsymmetricAlgorithm popPrivKey = RSA.Create(1536))
{
// generate csr for Azure DPS PoP
CertificateRequest proofCsr =
X509CertificateOperations.CreateChainRequest(
verificationCode,
popPrivKey,
HashAlgorithmName.SHA256,
false, null);
// generate the proof
X509Certificate2 popCert = this.CreateSignedCrt(proofCsr);
// save to .cer so tje private key owner can proof the possesion by uploading the new signed cert
await popCert.ExportToCerAsync(fileName).ConfigureAwait(false);
}
}
